Cisco Support Community
Accessing low security zone

Server 1 (IP address 10.24.112.5, gateway 10.24.112.1) in the zone with security level 50 needs to access servers (IP address 192.168.3.3, gateway 192.168.3.1) in the zone with security level 20.

Kindly suggest how to accomplish this.

I have tried putting a route in the router:

ip route 192.168.3.0 255.255.255.0 10.24.112.1

and permit any any on the firewall, but ping stops at the router. Kindly suggest?

Diagram is attached herewith.

5 REPLIES
Re: Accessing low security zone

Hi,

No route is required in the router for accessing a server in 192.168.3.0/24 from 10.24.112.0/24. Even if you want to add a route, the route which you added is wrong.

It should be:

ip route 192.168.3.0 255.255.255.0 10.24.112.254

To access your servers with an ip any any statement, you need to apply the ip any any statement on both interfaces of the firewall.

Thanks

AP

Re: Accessing low security zone

I have put the same route:

ip route 192.168.3.0 255.255.255.0 10.24.112.254 (I mistakenly put the wrong route in the post).

I have applied the any any statement on both interfaces but am still not able to access servers in the 192.168.3.0 zone. Is it correct that we need NAT to access servers in the low security zone from the high security zone?

When I try to ping 192.168.3.3, I get a reply from 10.24.112.254 but RTO (request timed out) from then onwards.

Any help?

Re: Accessing low security zone

Hi,

NAT is not required between routed interfaces. Can you post your config so that we can have clarity on the configuration?

Thanks

AP

Re: Accessing low security zone

Hi, the default rule permits traffic from a higher security level to a lower one, but you have to configure an access list for access from the lower one to the higher.

Re: Accessing low security zone

You need to touch the router and the firewall. The below assumes everything is subnetted as class C (/24).

In the router you will need a route:

!
ip route 192.168.3.0 255.255.255.0 10.24.112.254
!

Traffic will know how to get from the router to this network, which is behind the firewall. You seem to already have this covered, so if you look at the firewall logs you should see an entry that states there is no translation group available.

So in the firewall you will need to allow access, and you will need to create the proper statics.

!
! This permits the traffic via ACL
!
access-list dmzList permit ip 10.24.112.0 255.255.255.0 192.168.3.0 255.255.255.0
!
access-group dmzList in interface dmz
!
!
! This translates the traffic to itself
!
static (inside,dmz) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
!

The above is typed by hand so please forgive any typos :-)

edit:

Obviously, after typing the above I notice that I have the security on the interfaces backwards. :-/

What do your firewall logs say?
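The two rules the replies rely on (an access-list is only needed for lower-to-higher traffic, and on a PIX 6.x / ASA pre-8.3 box with nat-control a flow also needs a translation or the firewall logs "No translation group found") are easy to get wrong in the head, so here is an added example that is not code from the thread: a small Python model of that decision, run over the poster's "permit any any on both interfaces" configuration, over the same configuration with an identity static added, and over a tightened variant. The interface names "servers" (security 50, 10.24.112.0/24) and "dmz" (security 20, 192.168.3.0/24), the ACL names and the config lines are constructed to match the thread's addressing; the model covers only access-list, access-group and static, not nat/global pools.

```python
"""Added example, not from the thread: how a PIX 6.x / ASA pre-8.3 firewall with
nat-control decides a flow between two interfaces (ACL check, then xlate check).
Interface names, security levels and config lines are constructed assumptions."""
import ipaddress
from dataclasses import dataclass, field

Net = ipaddress.IPv4Network


@dataclass
class Interface:
    name: str
    security: int
    network: Net


@dataclass
class Firewall:
    interfaces: dict                                   # name -> Interface
    acls: dict = field(default_factory=dict)           # name -> [(action, src, dst)]
    access_groups: dict = field(default_factory=dict)  # interface -> acl name
    statics: list = field(default_factory=list)        # (real_if, mapped_if, real_net, mapped_net)

    def load(self, config: str) -> None:
        """Parse the subset of PIX syntax used in the thread."""
        for line in config.strip().splitlines():
            t = line.split()
            if not t or t[0].startswith("!"):
                continue
            if t[0] == "access-list":      # access-list NAME permit ip SRC MASK DST MASK
                src, i = _net(t, 4)
                dst, _ = _net(t, i)
                self.acls.setdefault(t[1], []).append((t[2], src, dst))
            elif t[0] == "access-group":   # access-group NAME in interface IF
                self.access_groups[t[4]] = t[1]
            elif t[0] == "static":         # static (REAL_IF,MAPPED_IF) MAPPED REAL netmask MASK
                real_if, mapped_if = t[1].strip("()").split(",")
                self.statics.append((real_if, mapped_if,
                                     Net(f"{t[3]}/{t[5]}"), Net(f"{t[2]}/{t[5]}")))


def _net(t, i):
    """Read 'any' or 'ADDR MASK' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return Net("0.0.0.0/0"), i + 1
    return Net(f"{t[i]}/{t[i + 1]}"), i + 2


def interface_for(fw, ip):
    for itf in fw.interfaces.values():
        if ip in itf.network:
            return itf
    raise ValueError(f"no interface for {ip}")


def acl_permits(acl, src, dst):
    for action, s, d in acl:
        if src in s and dst in d:
            return action == "permit"
    return False                      # implicit deny at the end of every ACL


def xlate_exists(fw, real_if, mapped_if, ip, side):
    """Does a static between real_if and mapped_if cover ip on the given side?"""
    for r_if, m_if, real_net, mapped_net in fw.statics:
        if (r_if, m_if) == (real_if, mapped_if) and ip in (real_net if side == "real" else mapped_net):
            return True
    return False


def check_flow(fw, src_ip, dst_ip, nat_control=True):
    """Return (permitted, reason) for the first packet of src_ip -> dst_ip."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    sif, dif = interface_for(fw, src), interface_for(fw, dst)
    if sif is dif:
        return False, "both hosts on the same interface; not a through-firewall flow"
    # 1. Access control: an access-group on the ingress interface replaces the
    #    security-level default (higher-to-lower allowed, everything else denied).
    acl = fw.access_groups.get(sif.name)
    if acl is not None:
        if not acl_permits(fw.acls[acl], src, dst):
            return False, f"denied by access-list {acl} on {sif.name}"
    elif sif.security <= dif.security:
        return False, (f"{sif.name}({sif.security}) -> {dif.name}({dif.security}) "
                       "denied by default; lower-to-higher needs an access-list")
    # 2. Translation: with nat-control an outbound (higher-to-lower) flow needs an
    #    xlate for the source, an inbound flow needs one for the destination.
    if nat_control:
        if sif.security > dif.security:
            ok = xlate_exists(fw, sif.name, dif.name, src, "real")
        else:
            ok = xlate_exists(fw, dif.name, sif.name, dst, "mapped")
        if not ok:
            return False, f"No translation group found for {src} -> {dst} (syslog 305005)"
    return True, "permitted"


def build(config):
    """Firewall with the thread's two zones (names are assumptions) plus the given config."""
    fw = Firewall(interfaces={"servers": Interface("servers", 50, Net("10.24.112.0/24")),
                              "dmz": Interface("dmz", 20, Net("192.168.3.0/24"))})
    fw.load(config)
    return fw


AS_POSTED = """
access-list fromServers permit ip any any
access-group fromServers in interface servers
access-list fromDmz permit ip any any
access-group fromDmz in interface dmz
"""
# Identity static: 10.24.112.0/24 keeps its addresses on dmz, satisfying the xlate check.
IDENTITY_STATIC = "static (servers,dmz) 10.24.112.0 10.24.112.0 netmask 255.255.255.0\n"
# Tightened: only the needed pair is permitted, and dmz gets no access-group, so the
# security-level default keeps the low zone out of the high zone.
TIGHTENED = """
access-list fromServers permit ip 10.24.112.0 255.255.255.0 192.168.3.0 255.255.255.0
access-group fromServers in interface servers
""" + IDENTITY_STATIC


def run_thread_scenarios():
    out = {}
    for label, cfg in (("as_posted", AS_POSTED), ("with_static", AS_POSTED + IDENTITY_STATIC),
                       ("tightened", TIGHTENED)):
        fw = build(cfg)
        out[label] = {"servers_to_dmz": check_flow(fw, "10.24.112.5", "192.168.3.3"),
                      "dmz_to_servers": check_flow(fw, "192.168.3.3", "10.24.112.5")}
    return out


if __name__ == "__main__":
    for label, flows in run_thread_scenarios().items():
        for direction, (ok, why) in flows.items():
            print(f"{label:12} {direction:15} {'PERMIT' if ok else 'DENY'}: {why}")
```

Running it shows why "permit any any on both interfaces" was not enough: the as-posted flow from 10.24.112.5 passes the ACL and then fails the translation check, which is the log entry the last reply tells the poster to look for. Adding the identity static makes the flow work, but with the any-any ACL still applied on the low-security interface the dmz hosts can now reach the server zone too; the tightened variant removes that access-group and narrows the ACL so only the intended direction is open.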
